<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  
  
  <meta name="description" content="别让你的服务器(vps)沦为肉鸡(ssh暴力破解)，密钥验证、双向因子登录值得拥有​    如果你购买了阿里云、腾讯云或者华为云等国内云服务上的服务器，默认登录都是以密码的方式，这就给潜在的渗透带来了机会，因为当你的linux服务器暴露在外网当中时，服务器就极有可能会遭到互联网上的扫描软件进行扫描，" />
  

  
  
  
  
  
  
  <title>服务器问题 | 南辞的技术博客</title>
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  <meta name="description" content="别让你的服务器(vps)沦为肉鸡(ssh暴力破解)，密钥验证、双向因子登录值得拥有​    如果你购买了阿里云、腾讯云或者华为云等国内云服务上的服务器，默认登录都是以密码的方式，这就给潜在的渗透带来了机会，因为当你的linux服务器暴露在外网当中时，服务器就极有可能会遭到互联网上的扫描软件进行扫描，然后试图连接ssh端口进行暴力破解（穷举扫描），如果你不采取相对应的措施，迟早有一天服务器会被渗透者">
<meta property="og:type" content="article">
<meta property="og:title" content="服务器问题">
<meta property="og:url" content="https://yanlidoushikeke.gitee.io/myhexo/2021/04/23/%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%97%AE%E9%A2%98/index.html">
<meta property="og:site_name" content="南辞的技术博客">
<meta property="og:description" content="别让你的服务器(vps)沦为肉鸡(ssh暴力破解)，密钥验证、双向因子登录值得拥有​    如果你购买了阿里云、腾讯云或者华为云等国内云服务上的服务器，默认登录都是以密码的方式，这就给潜在的渗透带来了机会，因为当你的linux服务器暴露在外网当中时，服务器就极有可能会遭到互联网上的扫描软件进行扫描，然后试图连接ssh端口进行暴力破解（穷举扫描），如果你不采取相对应的措施，迟早有一天服务器会被渗透者">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://v3u.cn/v3u/Public/js/editor/attached/20200819120852_98164.png">
<meta property="og:image" content="https://v3u.cn/v3u/Public/js/editor/attached/20200819130801_34751.png">
<meta property="og:image" content="https://v3u.cn/v3u/Public/js/editor/attached/20200819130812_35007.png">
<meta property="article:published_time" content="2021-04-23T07:19:24.000Z">
<meta property="article:modified_time" content="2021-04-23T07:20:18.261Z">
<meta property="article:author" content="南辞">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://v3u.cn/v3u/Public/js/editor/attached/20200819120852_98164.png">
  
  
    <link rel="icon" href="/tefuir/css/images/favicon.ico">
  
  
<link rel="stylesheet" href="/tefuir/css/style.css">

  

  
  <!-- baidu webmaster push -->
  <script src='//push.zhanzhang.baidu.com/push.js'></script>
<meta name="generator" content="Hexo 5.2.0"><link rel="alternate" href="/tefuir/atom.xml" title="南辞的技术博客" type="application/atom+xml">
</head>
<body class="home blog custom-background custom-font-enabled single-author">
  <div id="page" class="hfeed site">
      <header id="masthead" class="site-header" role="banner">
    <hgroup>
      <h1 class="site-title">
        <a href="/tefuir/" title="南辞的技术博客" rel="home">南辞的技术博客</a>
      </h1>
      
        <h2 class="site-description hitokoto"></h2>
        <script type="text/javascript" src="https://v1.hitokoto.cn/?encode=js"></script>
      
    </hgroup>

    <nav id="site-navigation" class="main-navigation" role="navigation">
            <button class="menu-toggle">菜单</button>
            <a class="assistive-text" href="/#content" title="跳至内容">跳至内容</a><!--TODO-->
            <div class="menu-main-container">
                <ul id="menu-main" class="nav-menu">
                
                    <li class="menu-item menu-item-type-post_type menu-item-object-page"><a href="/tefuir/">Home</a></li>
                
                    <li class="menu-item menu-item-type-post_type menu-item-object-page"><a href="/tefuir/archives">Archives</a></li>
                
                </ul>
            </div>
    </nav>
</header>

      <div id="main" class="wrapper">
        <div id="primary" class="site-content"><div id="content" role="main"><article id="post-服务器问题" class="post-服务器问题 post type-post status-publish format-standard hentry">
    <!---->

      <header class="entry-header">
        
        
  
    <h1 class="entry-title article-title">
      服务器问题
    </h1>
  

        
        <div class="comments-link">
            
            <a href="javascript:void(0);" data-url="https://yanlidoushikeke.gitee.io/myhexo/2021/04/23/%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%97%AE%E9%A2%98/" data-id="cknzsqft9000554u07fxj6e98" class="leave-reply bdsharebuttonbox" data-cmd="more">Share</a>
        </div><!-- .comments-link -->
      </header><!-- .entry-header -->

    <div class="entry-content">
      
        <h1 id="别让你的服务器-vps-沦为肉鸡-ssh暴力破解-，密钥验证、双向因子登录值得拥有"><a href="#别让你的服务器-vps-沦为肉鸡-ssh暴力破解-，密钥验证、双向因子登录值得拥有" class="headerlink" title="别让你的服务器(vps)沦为肉鸡(ssh暴力破解)，密钥验证、双向因子登录值得拥有"></a>别让你的服务器(vps)沦为肉鸡(ssh暴力破解)，密钥验证、双向因子登录值得拥有</h1><p>​    如果你购买了阿里云、腾讯云或者华为云等国内云服务上的服务器，默认登录都是以密码的方式，这就给潜在的渗透带来了机会，因为当你的linux服务器暴露在外网当中时，服务器就极有可能会遭到互联网上的扫描软件进行扫描，然后试图连接ssh端口进行暴力破解（穷举扫描），如果你不采取相对应的措施，迟早有一天服务器会被渗透者攻陷，这也就解释了为什么google cloud（谷歌云）和aws（亚马逊云）默认都是以秘钥的方式登录服务器。</p>
<p>​    基于密钥的安全验证必须为用户自己创建一对密钥（公钥和私钥），并把公钥放在需要访问的服务器上。当需要连接到远程服务器上时，客户端软件就会向服务器发出请求，请求使用私钥进行安全验证。服务器收到请求之后，先在该用户的根目录下寻找公钥，然后把它和发送过来的密钥进行比较。如果两个密钥一致，服务器就用公有的密钥加密“质询”，并把它发送给客户端软件（moba、iTerm）。客户端收到质询之后，就可以用本地的私人密钥解密再把它发送给服务器，这种方式是相当安全的，之前做支付宝支付我们就使用过秘钥的方式来加强支付安全性，详见：<a target="_blank" rel="noopener" href="https://v3u.cn/a_id_61">在Mac系统下生成新版支付宝（2019年4月）支付接口私钥和公钥</a>。</p>
<p>​    本次我们将服务器的登录方式改造成秘钥+密码的形式，提高安全性，这里以Centos7.6为例子。</p>
<p>​    首先登录到服务器中，执行命令生成秘钥</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssh-keygen -t rsa</span><br></pre></td></tr></table></figure>

<p>​    返回信息：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Generating public&#x2F;private rsa key pair.</span><br><span class="line"></span><br><span class="line">Enter file in which to save the key (.ssh&#x2F;id_rsa): &#x2F;&#x2F;直接回车，这是秘钥的地址</span><br><span class="line"></span><br><span class="line">Enter passphrase (empty for no passphrase):  &#x2F;&#x2F;输入密钥密码（如果不设置，请直接回车。强烈建议输入1个密码- -）</span><br><span class="line"></span><br><span class="line">Enter same passphrase again:  &#x2F;&#x2F;重复密钥密码</span><br></pre></td></tr></table></figure>

<p>​    之后将~/.ssh/id_rsa.pub 复制到 ~/.ssh/authorized_keys,并且赋予权限。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">cat ~&#x2F;.ssh&#x2F;id_rsa.pub &gt;&gt; ~&#x2F;.ssh&#x2F;authorized_keys</span><br><span class="line"></span><br><span class="line">chmod 600 ~&#x2F;.ssh&#x2F;authorized_keys</span><br></pre></td></tr></table></figure>

<p>​    随后修改/etc/ssh/sshd_config 文件，将PubkeyAuthentication 后面的值都改成yes ，保存。</p>
<p>​    重启sshd服务，让配置生效</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo service sshd restart</span><br></pre></td></tr></table></figure>

<p>​    此时，我们就可以测试一下是否可以用秘钥登录了，将服务器目录中的秘钥~/.ssh/id_rsa下载到本地</p>
<p>​    如果是windows用户，推荐使用MobaXterm，在ssh设置中，勾选使用秘钥并且选择本地秘钥即可。</p>
<p><img src="https://v3u.cn/v3u/Public/js/editor/attached/20200819120852_98164.png" alt="img"></p>
<p>​    如果平台是Mac os，这里推荐使用iTerm 4，同样在ssh设置中，选择运行ssh命令。</p>
<p><img src="https://v3u.cn/v3u/Public/js/editor/attached/20200819130801_34751.png" alt="img"></p>
<p>​    设置命令：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssh -p 22 root@你的ip -i 你的秘钥地址</span><br></pre></td></tr></table></figure>

<p>​    如果使用秘钥登录成功了，我们就可以考虑停用密码验证登录方式，修改/etc/ssh/sshd_config 文件将PasswordAuthentication yes 修改成 PasswordAuthentication no。</p>
<p>​    重启ssh服务</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo service sshd restart</span><br></pre></td></tr></table></figure>

<p>​    这样安全性确实大大提升了，但是也不是滴水不漏，因为你本地电脑也是有可能被入侵的，也就是存储在本机电脑的私钥有几率被窃取，那么有没有方法可以杜绝这种情况呢？</p>
<p>​    答案是可以的，那就是使用双因子认证（Two-factor authentication），业内也叫两步认证，这项技术苹果和谷歌都是率先使用，尤其是苹果的icloud爆出艳照门之后，两步验证就显得至关重要。</p>
<p>​    双因子认证，除了需要验证用户名密码外，还要结合另外一种实物设备，如Rsa令牌，或者手机。</p>
<p>​    如果我们把传统的用户名密码验证称为单因子认证，那么对比双因子认证，他们的区别如下：</p>
<blockquote>
<p>1FA – What you know (e.g. a password, a pin)<br>2FA – What you have (e.g. a phone, a hardware token)<br>3FA – What you are (e.g. your fingerprints, you retina)</p>
</blockquote>
<p>​    是的，你没看错，还有三因子认证，也就是通过指纹和视网膜验证，这个在手机上很普遍，大家都不陌生。</p>
<p>​    双因子认证的产品大致可以分成两类：</p>
<p>​    1、可以产生token的硬件设备</p>
<p>​    2、智能手机的app</p>
<p>​    手机短信验证码，登录微信公众号时的扫码确认都可以称为双因子认证。双因子认证，还会结合一个只有你有的硬件设备。只要这个专属的硬件设备不丢失（察觉这个设备丢失，比用户名密码泄露，会容易很多），就可以大大地提升账号的安全性。</p>
<p>​    这里我们使用google-authenticator，开启服务器双因子认证。</p>
<p>​    首先，去google的android应用市场，或者apple的appStore去安装：“Google Authenticator（google身份验证器）”。</p>
<p>​    然后登录要开启双因子认证登录的服务器，进行为服务器安装依赖</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">yum -y install gcc gcc-c++ make wget pam-devel</span><br></pre></td></tr></table></figure>

<p>   安装Google Authenticator</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">wget http:&#x2F;&#x2F;google-authenticator.googlecode.com&#x2F;files&#x2F;libpam-google-authenticator-1.0-source.tar.bz2</span><br><span class="line">tar jxvf libpam-google-authenticator-1.0-source.tar.bz2</span><br><span class="line">cd libpam-google-authenticator-1.0</span><br><span class="line">make</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure>

<p>​    使用SSH登录时调用google-authenticator模块</p>
<p>​    编辑文件/etc/pam.d/sshd，添加：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">auth   required     pam_google_authenticator.so</span><br></pre></td></tr></table></figure>

<p>​    再次编辑/etc/ssh/sshd_config，在文件中查找ChallengeResponseAuthentication和UsePAM，将后面的值改为 yes：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">ChallengeResponseAuthentication yes</span><br><span class="line">UsePAM yes</span><br></pre></td></tr></table></figure>

<p>​    再次重启ssh服务</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo service sshd restart</span><br></pre></td></tr></table></figure>

<p>​    随后，为用户root绑定认证</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">su -</span><br><span class="line">google-authenticator</span><br></pre></td></tr></table></figure>

<p>​    返回命令</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">Do you want authentication tokens to be time-based (y&#x2F;n) y</span><br><span class="line">https:&#x2F;&#x2F;www.google.com&#x2F;chart?chs&#x3D;200x200&amp;chld&#x3D;M|0&amp;cht&#x3D;qr&amp;chl&#x3D;otpauth:&#x2F;&#x2F;totp&#x2F;root@google%3Fsecret%3DCKHMVUVJNTPYSPTQ</span><br><span class="line">Your new secret key is: CKHMVUVJNTPYSPTQ</span><br><span class="line">Your verification code is 734261</span><br><span class="line">Your emergency scratch codes are:</span><br><span class="line">68748337</span><br><span class="line">15176712</span><br><span class="line">30287010</span><br><span class="line">70585905</span><br><span class="line">38041521</span><br></pre></td></tr></table></figure>

<p>​    生成了共享秘钥：CKHMVUVJNTPYSPTQ</p>
<p>​    接着一路yes</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">Do you want me to update your &quot;&#x2F;root&#x2F;.google_authenticator&quot; file (y&#x2F;n) y</span><br><span class="line"></span><br><span class="line">Do you want to disallow multiple uses of the same authentication</span><br><span class="line">token? This restricts you to one login about every 30s, but it increases</span><br><span class="line">your chances to notice or even prevent man-in-the-middle attacks (y&#x2F;n) y</span><br><span class="line"></span><br><span class="line">By default, tokens are good for 30 seconds and in order to compensate for</span><br><span class="line">possible time-skew between the client and the server, we allow an extra</span><br><span class="line">token before and after the current time. If you experience problems with poor</span><br><span class="line">time synchronization, you can increase the window from its default</span><br><span class="line">size of 1:30min to about 4min. Do you want to do so (y&#x2F;n) y</span><br><span class="line"></span><br><span class="line">If the computer that you are logging into isn&#39;t hardened against brute-force</span><br><span class="line">login attempts, you can enable rate-limiting for the authentication module.</span><br><span class="line">By default, this limits attackers to no more than 3 login attempts every 30s.</span><br><span class="line">Do you want to enable rate-limiting (y&#x2F;n) y</span><br></pre></td></tr></table></figure>

<p>​    随后再次登录服务器，会让我们输入一个验证码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">verification code:</span><br></pre></td></tr></table></figure>

<p>​    此时打开手机上的google身份验证器App，输入对应的code即可</p>
<p><img src="https://v3u.cn/v3u/Public/js/editor/attached/20200819130812_35007.png" alt="img"></p>

      
    </div><!-- .entry-content -->

    <footer class="entry-meta">
    <a href="/tefuir/2021/04/23/%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%97%AE%E9%A2%98/">
    <time datetime="2021-04-23T07:19:24.000Z" class="entry-date">
        2021-04-23
    </time>
</a>
    
    
    </footer>
</article>


    
<nav class="nav-single">
    <h3 class="assistive-text">文章导航</h3>
    
        <span class="nav-previous"><a href="/tefuir/2021/04/23/win10%E7%B3%BB%E7%BB%9F%E4%B8%8B%E5%9F%BA%E4%BA%8Edocker%E9%85%8D%E7%BD%AEelasticsearch%E9%85%8D%E5%90%88python3%E8%BF%9B%E8%A1%8C%E5%85%A8%E6%96%87%E6%A3%80%E7%B4%A2/" rel="prev"><span class="meta-nav">←</span> win10系统下基于docker配置elasticsearch配合python3进行全文检索</a></span>
    
    
        <span class="nav-next"><a href="/tefuir/2021/04/23/%E5%89%8D%E5%90%8E%E7%AB%AF%E5%88%86%E7%A6%BB%E5%AE%9E%E7%8E%B0%E5%BE%AE%E4%BF%A1%E6%94%AF%E4%BB%98/" rel="next">前后端分离实现微信支付 <span class="meta-nav">→</span></a></span>
    
</nav><!-- .nav-single -->







</div></div>
        <div id="secondary" class="widget-area" role="complementary">
  
    <aside id="search" class="widget widget_search"><form role="search" method="get" accept-charset="utf-8" id="searchform" class="searchform" action="//google.com/search">
    <div>
        <input type="text" value="" name="s" id="s" />
        <input type="submit" id="searchsubmit" value="搜索" />
    </div>
</form></aside>
  
    
  
    
  
    
  <aside class="widget">
    <h3 class="widget-title">Recents</h3>
    <div class="widget-content">
      <ul>
        
          <li>
            <a href="/tefuir/2021/04/26/python%E5%9F%BA%E7%A1%80%E7%90%86%E8%AE%BA%E5%AE%9D%E5%85%B8/">python基础理论宝典</a>
          </li>
        
          <li>
            <a href="/tefuir/2021/04/23/python3-Flask%E7%BB%93%E5%90%88Socket-io%E7%AE%80%E5%8D%95%E5%AE%9E%E7%8E%B0%E5%9C%A8%E7%BA%BF%E5%AE%A2%E6%9C%8D%E7%B3%BB%E7%BB%9F/">python3+Flask结合Socket.io简单实现在线客服系统</a>
          </li>
        
          <li>
            <a href="/tefuir/2021/04/23/win10%E7%B3%BB%E7%BB%9F%E4%B8%8B%E5%88%A9%E7%94%A8docker%E9%83%A8%E7%BD%B2gunicorn-Flask%E6%89%93%E9%80%A0%E7%8B%AC%E7%AB%8B%E9%95%9C%E5%83%8F/">win10系统下利用docker部署gunicorn+Flask打造独立镜像</a>
          </li>
        
          <li>
            <a href="/tefuir/2021/04/23/win10%E7%B3%BB%E7%BB%9F%E4%B8%8B%E5%9F%BA%E4%BA%8Edocker%E9%85%8D%E7%BD%AEelasticsearch%E9%85%8D%E5%90%88python3%E8%BF%9B%E8%A1%8C%E5%85%A8%E6%96%87%E6%A3%80%E7%B4%A2/">win10系统下基于docker配置elasticsearch配合python3进行全文检索</a>
          </li>
        
          <li>
            <a href="/tefuir/2021/04/23/%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%97%AE%E9%A2%98/">服务器问题</a>
          </li>
        
      </ul>
    </div>
  </aside>

  
    
  
    
  
</div>
      </div>
      <footer id="colophon" role="contentinfo">
    <p>&copy; 2021 南辞
    All rights reserved.</p>
    <p>Powered by <a href="http://hexo.io/" target="_blank">Hexo</a></p>
</footer>
    <script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"1","bdMiniList":false,"bdPic":"","bdStyle":"2","bdSize":"16"},"share":{}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='/js/share.js'];</script>

<script src="/js/jquery-3.3.1.min.js"></script>


  
<link rel="stylesheet" href="/tefuir/fancybox/jquery.fancybox.css">

  
<script src="/tefuir/fancybox/jquery.fancybox.pack.js"></script>




<script src="/tefuir/js/script.js"></script>


<script src="/js/navigation.js"></script>

<div id="bg"></div>

  </div>
</body>
</html>